Note: This has nothing to do with browser caching. Before each test I stop/restart JBoss and the browser session. Whether I hit just the context root first or specify index.jsp first I see the described behavior.
Note: I can get around this by specifying:
In the security constraint though I don't want to do that. This test, however, makes it seem like JBoss is accessing some internal .jsp prior to hitting index.jsp. Bizzare I know, grasping at straws here as to a reason for this behavior.
That workaround aside it certainly seems like JBoss does not consider the context root and the context root with /index.jsp on the end to be the same in terms of the sec constraint.